Posted to users@spamassassin.apache.org by nsayer <ns...@kfu.com> on 2012/01/04 21:51:29 UTC

SPF tests and authenticated SMTP

I'm running a brand new installation of SA 3.3.2 with the Milter on FreeBSD
8.2.

Everything is going smoothly, for the most part (there seems to be one
particular spammer who's evading SA, but whatever), but there's one little
thing that bugs me slightly.

I use authenticated SMTP to send e-mail. The SPF records for my domain
(kfu.com) basically say that mail must come from my mail server and nowhere
else. However, my expectation is that my mail server should make an
exception if (and only if) the mail is sent with SMTP AUTH.

However, such mail winds up getting SPF_FAIL in the SA report.

Here's a received header example:


Received: from {my laptop} ({hostname of NAT gateway it happens to be
behind} [x.x.x.x])
	(authenticated bits=0)
	by quack.kfu.com (8.14.5/8.14.5) with ESMTP id q04K12lj052202
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)
	for <ns...@kfu.com>; Wed, 4 Jan 2012 12:01:05 -0800 (PST)
	(envelope-from nsayer@kfu.com)

I assert that Mail::SPF should regard Received: headers that have the
"authenticated" modifier in them as being ennobled and SPF should not apply.
Is there some mechanism for this?
-- 
View this message in context: http://old.nabble.com/SPF-tests-and-authenticated-SMTP-tp33081983p33081983.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: SPF tests and authenticated SMTP

Posted by nsayer <ns...@kfu.com>.
More info...

I've added sid-filter to the mix, and now I'm getting this additional
header:


Authentication-Results: quack.kfu.com; sender-id=fail (NotPermitted)
header.from=nsayer@kfu.com; auth=pass (PLAIN); spf=fail (NotPermitted)
smtp.mfrom=nsayer@kfu.com

But Mail::SpamAssassin::Plugin::SPF does this:

elsif ($hdr =~ /^Authentication-Results:.*;\s*SPF\s*=\s*([^;]*)/i) {

which ignores the 'auth' result.
-- 
View this message in context: http://old.nabble.com/SPF-tests-and-authenticated-SMTP-tp33081983p33082119.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
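
An added example, not part of the original post and not SpamAssassin's own code apart from the one regex quoted above: it unfolds the Authentication-Results header from this message, shows what that regex captures, and parses every method=result pair so the auth result can be read next to spf. The sub names, the trusted authserv-id check and the final decision are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header from the post above; continuation lines are re-indented here so
# that it is validly folded (constructed sample input).
my $raw = <<'EOH';
Authentication-Results: quack.kfu.com; sender-id=fail (NotPermitted)
 header.from=nsayer@kfu.com; auth=pass (PLAIN); spf=fail (NotPermitted)
 smtp.mfrom=nsayer@kfu.com
EOH

# Unfold: a line break followed by whitespace continues the header.
sub unfold {
    my ($h) = @_;
    $h =~ s/\r?\n[ \t]+/ /g;
    $h =~ s/\s+\z//;
    return $h;
}

# The match quoted from Mail::SpamAssassin::Plugin::SPF: only spf= is read.
sub spf_only {
    my ($hdr) = @_;
    return $hdr =~ /^Authentication-Results:.*;\s*SPF\s*=\s*([^;]*)/i ? $1 : undef;
}

# Hypothetical helper: return the authserv-id and every method=result pair.
# Simplification: assumes no ';' appears inside a parenthesised comment.
sub all_results {
    my ($hdr) = @_;
    (my $body = $hdr) =~ s/^Authentication-Results:\s*//i;
    my ($authserv, @parts) = split /\s*;\s*/, $body;
    my %res;
    for my $part (@parts) {
        $res{lc $1} = lc $2 if $part =~ /^([\w-]+)\s*=\s*(\w+)/;
    }
    return ($authserv, \%res);
}

my $hdr = unfold($raw);
my ($server, $res) = all_results($hdr);

printf "regex capture : %s\n", spf_only($hdr) // '(no match)';
printf "authserv-id   : %s\n", $server;
printf "%-14s: %s\n", $_, $res->{$_} for sort keys %$res;

# Assumed policy: honour auth=pass only when the header was written by our
# own server, because a remote sender can put a forged Authentication-Results
# header into the message it submits.
my $trusted = lc($server) eq 'quack.kfu.com';
my $authed  = $trusted && ($res->{auth} // '') eq 'pass';
print "treat SPF result as relevant: ", ($authed ? "no (authenticated submission)" : "yes"), "\n";
```

On the posted header the quoted regex captures only the spf clause, while the pair parser also returns auth=pass and sender-id=fail.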


Re: SPF tests and authenticated SMTP

Posted by nsayer <ns...@kfu.com>.


David B Funk wrote:
> 
> 
> I'm not familiar with the FreeBSD ports tree, but if its 
> spamass-milter-0.3.2 is the same as the one from 
> http://www.freshports.org/mail/spamass-milter/ then it does -not-
> add the auth tokens to its internally synthesized "Received" header.
> Thus your problem.
> 
> 
> 

I took a closer look at the port and it has the option to enable an extra
patch to add a "-a" flag to the milter's command line, which I had not
enabled. That flag causes it to skip SA entirely on mail sent over
authenticated connections. That appears to work, and solves the problem.

Thanks for steering me the right way.


Re: SPF tests and authenticated SMTP

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 5 Jan 2012, nsayer wrote:

> David B Funk wrote:
>>
>> Noel,
>> I assume that you're saying he has a sendmail config problem because his
>> SA isn't 'seeing' the auth tokens. That might not be the case, it may be
>> his milter that is at fault.
>>
>> SA depends upon the auth tokens that your MTA adds to its "Received:"
>> header to recognize properly authed messages.
>> However in a sendmail+milter system, the milter gets the incoming mail
>> stream -before- any local MTA additions. So it's the milter's
>> responsibility to synthesize a "Received:" header in what it passes on to
>> SA that faithfully mimics what the MTA would generate.
>> Not all milters get that right, particularly with auth tokens.
>>
>> Nick,
>> Which specific milter are you using and which version of that milter?
>>
>
> I'm using everything straight out of the FreeBSD ports tree:
>
> spamass-milter-0.3.2
> p5-Mail-SpamAssassin-3.3.2_6
> sendmail+tls+sasl2-8.14.5
> opendkim-2.4.1
> sid-milter-1.0.0
>
> The milter section of my sendmail MC file looks like this:
>
> define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name},
> {if_addr}')dnl
> define(`confMILTER_MACROS_HELO',`s, {verify}, {tls_version}, {cipher},
> {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
> define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _, {greylist}')dnl
> INPUT_MAIL_FILTER(`sid-filter', `S=unix:/var/run/sid-filter, F=T,
> T=R:30s')dnl
> INPUT_MAIL_FILTER(`dkim-filter',
> `S=unix:/var/run/milteropendkim/milter-opendkim.sock, F=T, T=R:2m')dnl
> INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass-milter.sock, F=T,
> T=C:15m;S:4m;R:4m;E:10m')dnl
>
> The {greylist} in ENVRCPT is in there for the benefit of the greylist
> milter, which currently is disabled.
>
>

I'm not familiar with the FreeBSD ports tree, but if its 
spamass-milter-0.3.2 is the same as the one from 
http://www.freshports.org/mail/spamass-milter/ then it does -not-
add the auth tokens to its internally synthesized "Received" header.
Thus your problem.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: SPF tests and authenticated SMTP

Posted by nsayer <ns...@kfu.com>.


David B Funk wrote:
> 
> Noel,
> I assume that you're saying he has a sendmail config problem because his 
> SA isn't 'seeing' the auth tokens. That might not be the case, it may be 
> his milter that is at fault.
> 
> SA depends upon the auth tokens that your MTA adds to its "Received:" 
> header to recognize properly authed messages.
> However in a sendmail+milter system, the milter gets the incoming mail 
> stream -before- any local MTA additions. So it's the milter's 
> responsibility to synthesize a "Received:" header in what it passes on to 
> SA that faithfully mimics what the MTA would generate.
> Not all milters get that right, particularly with auth tokens.
> 
> Nick,
> Which specific milter are you using and which version of that milter?
> 

I'm using everything straight out of the FreeBSD ports tree:

spamass-milter-0.3.2
p5-Mail-SpamAssassin-3.3.2_6
sendmail+tls+sasl2-8.14.5
opendkim-2.4.1
sid-milter-1.0.0

The milter section of my sendmail MC file looks like this:

define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name},
{if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {verify}, {tls_version}, {cipher},
{cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _, {greylist}')dnl
INPUT_MAIL_FILTER(`sid-filter', `S=unix:/var/run/sid-filter, F=T,
T=R:30s')dnl
INPUT_MAIL_FILTER(`dkim-filter',
`S=unix:/var/run/milteropendkim/milter-opendkim.sock, F=T, T=R:2m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass-milter.sock, F=T,
T=C:15m;S:4m;R:4m;E:10m')dnl

The {greylist} in ENVRCPT is in there for the benefit of the greylist
milter, which currently is disabled.



Re: SPF tests and authenticated SMTP

Posted by Dave Funk <db...@engineering.uiowa.edu>.
Noel,
I assume that you're saying he has a sendmail config problem because his 
SA isn't 'seeing' the auth tokens. That might not be the case, it may be 
his milter that is at fault.

SA depends upon the auth tokens that your MTA adds to its "Received:" 
header to recognize properly authed messages.
However in a sendmail+milter system, the milter gets the incoming mail 
stream -before- any local MTA additions. So it's the milter's 
responsibility to synthesize a "Received:" header in what it passes on to 
SA that faithfully mimics what the MTA would generate.
Not all milters get that right, particularly with auth tokens.

Nick,
Which specific milter are you using and which version of that milter?

On Thu, 5 Jan 2012, Noel Butler wrote:

> Ack, you have far bigger problems than you realise given below...
> Question, you are smtp-auth'ing via port 587 aren't you? If you are, then your sendmail is incorrectly configured and I suggest you
> load the news group comp.mail.sendmail and ask there (given that would be OT for the SA list)
> 
> 
> On Wed, 2012-01-04 at 17:22 -0800, Nick Sayer wrote:
>
>  Content analysis details:   (9.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
>  0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
> [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=nsayer%40kfu.com;ip=166.250.45.174;r=quack.kfu.com]
>  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
>                             https://senderscore.org/blacklistlookup/
>                            [166.250.45.174 listed in bl.score.senderscore.com]
>  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>                             [166.250.45.174 listed in zen.spamhaus.org]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
>                             domain
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.4 RDNS_DYNAMIC           Delivered to internal network by host with
>                             dynamic-looking rDNS
>  0.7 KHOP_DYNAMIC           Relay looks like a dynamic address
>  0.0 HELO_MISC_IP           Looking for more Dynamic IP Relays
> 
> 
> 
>

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: SPF tests and authenticated SMTP

Posted by nsayer <ns...@kfu.com>.


Noel Butler wrote:
> 
> Ack, you have far bigger problems than you realise given below... 
> Question, you are smtp-auth'ing via port 587 aren't you? 
> 
> 
Yes.

> If you are,
> then your sendmail is incorrectly configured and I suggest you load the
> news group comp.mail.sendmail and ask there (given that would be OT for
> the SA list)
> 

Perhaps I'm looking a gift horse in the mouth here, but that sort of
reminds me of the opening scene of an Indiana Jones movie where someone
gives a vague clue to the hero that the next step in their quest lies in
Istanbul and then promptly dies without being more specific.



Re: SPF tests and authenticated SMTP

Posted by Noel Butler <no...@ausics.net>.
Ack, you have far bigger problems than you realise given below... 
Question, you are smtp-auth'ing via port 587 aren't you? If you are,
then your sendmail is incorrectly configured and I suggest you load the
news group comp.mail.sendmail and ask there (given that would be OT for
the SA list)


On Wed, 2012-01-04 at 17:22 -0800, Nick Sayer wrote:


> Content analysis details:   (9.1 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
>  0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
> [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=nsayer%40kfu.com;ip=166.250.45.174;r=quack.kfu.com]
>  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
>                             https://senderscore.org/blacklistlookup/
>                            [166.250.45.174 listed in bl.score.senderscore.com]
>  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>                             [166.250.45.174 listed in zen.spamhaus.org]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
>                             domain
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.4 RDNS_DYNAMIC           Delivered to internal network by host with
>                             dynamic-looking rDNS
>  0.7 KHOP_DYNAMIC           Relay looks like a dynamic address
>  0.0 HELO_MISC_IP           Looking for more Dynamic IP Relays
> 



Re: SPF tests and authenticated SMTP

Posted by Nick Sayer <ns...@kfu.com>.
Spam detection software, running on the system "quack.kfu.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
The administrator of that system for details.

Content preview:  On Jan 4, 2012, at 4:45 PM, Noel Butler wrote: > On Wed, 2012-01-04
   at 12:51 -0800, nsayer wrote: >> >> I'm running a brand new installation
  of SA 3.3.2 with the Milter on FreeBSD >> 8.2. >> >> Everything is going smoothly,
   for the most part (there seems to be one >> particular spammer who's evading
   SA, but whatever), but there's one little >> thing that bugs me slightly.
   >> >> I use authenticated SMTP to send e-mail. The SPF records for my domain
   >> (kfu.com) basically say that mail must come from my mail server and nowhere
   >> else. However, my expectation is that my mail server should make an >>
   exception if (and only if) the mail is sent with SMTP AUTH. >> >> However,
   such mail winds up getting SPF_FAIL in the SA report. >> > > Ummm, I know
   I'm still in holiday mode (at least for another 4 days wahhhhh) but, you're
   not making sense, > If they are using smtp auth, then the server is what
  gets the mail and sends it, so, so long as that server is in your SPF RR entry,
   then the receiving server should only care about that. [...] 

Content analysis details:   (9.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=nsayer%40kfu.com;ip=166.250.45.174;r=quack.kfu.com]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                           [166.250.45.174 listed in bl.score.senderscore.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [166.250.45.174 listed in zen.spamhaus.org]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 0.7 KHOP_DYNAMIC           Relay looks like a dynamic address
 0.0 HELO_MISC_IP           Looking for more Dynamic IP Relays

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


Re: SPF tests and authenticated SMTP

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2012-01-04 at 12:51 -0800, nsayer wrote:

> I'm running a brand new installation of SA 3.3.2 with the Milter on FreeBSD
> 8.2.
> 
> Everything is going smoothly, for the most part (there seems to be one
> particular spammer who's evading SA, but whatever), but there's one little
> thing that bugs me slightly.
> 
> I use authenticated SMTP to send e-mail. The SPF records for my domain
> (kfu.com) basically say that mail must come from my mail server and nowhere
> else. However, my expectation is that my mail server should make an
> exception if (and only if) the mail is sent with SMTP AUTH.
> 
> However, such mail winds up getting SPF_FAIL in the SA report.
> 


Ummm, I know I'm still in holiday mode (at least for another 4 days
wahhhhh) but, you're not making sense, 
If they are using smtp auth, then the server is what gets the mail and
sends it, so, so long as that server is in your SPF  RR entry, then the
receiving server should only care about that.

~$ host -t spf kfu.com
kfu.com has no SPF record

It is not the problem, but fix the above, as SPF in TXT is deprecated
and has been for years.

~$ host -t txt kfu.com
kfu.com descriptive text "v=spf1 mx -all"

As 'quack' is in the above, and so long as you are not using a smart
host, there is no reason, when sending via quack, that it should fail.



> Here's a received header example:
> 
> 
> Received: from {my laptop} ({hostname of NAT gateway it happens to be
> behind} [x.x.x.x])
> 	(authenticated bits=0)
> 	by quack.kfu.com (8.14.5/8.14.5) with ESMTP id q04K12lj052202
> 	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)
> 	for <ns...@kfu.com>; Wed, 4 Jan 2012 12:01:05 -0800 (PST)
> 	(envelope-from nsayer@kfu.com)
> 
> I assert that Mail::SPF should regard Received: headers that have the


It should only ever look at the connecting server, nothing else.

Further.. get rid of sid-milter, what an abomination, I don't think even
micro$lop use sid anymore, last time I had to look into it.
This could be your problem.

Since you're using sendmail, try  smf-spf.



